News about the Heartbleed vulnerability is spreading around the world, accelerated by today’s investigation by Revenue Canada that its systems might be compromised.
You can check your organization’s vulnerability, or any Web site by going to this site and entering the name of a domain or a URL to test.
Personal computers aren’t at risk unless they are acting as a server.
“The government’s is doing the right thing,” by shutting down its site, says James Arlen, Hamilton, Ont. -based senior security advisor at Leviathan Security Group. “The bug permits the remote read of the contents of the server’s memory. Until it’s patched (and certificates reissued with new keys) there is a real risk of leaking the entire memory contents of the affected server.”
“Almost everybody who’s got SSL (secure socket layer) needs to apply the patch and generate a new private key,” he said. His firm has fielded many calls from concerned customers since Monday who needed the patch, he said. By now most have already fixed; the others need final testing.
According to a blog posted by Ivan Ristic of Qualys Inc., which posted the SSL Labs test, Heartbleed is the result of a coding error in the OpenSSL 1.0.1 code released in March 2012 that allows an attacker to trick an affected server into disclosing a large part of what’s in memory. It’s the OpenSSL’s implementation of the TLS (transport layer security) ‘heartbeat’ mechanism – hence the name of the bug — which helps keep connections alive without continuous data transfer.